Apparatus and Method for Social Account Access Control

ABSTRACT

A computer implemented method includes monitoring changes to an account accessible by a group of subscribers that form a social network. The changes to the account are compared to a normative base line to identify deviations from the normative base line. An alert is sent in response to deviations from the normative base line. The normative base line is defined by metadata gathered through an application program interface associated with the account, account entity data and a set of predefined rules.

FIELD OF THE INVENTION

This invention relates generally to access control in computer networks. More particularly, this invention relates to techniques for social account access control.

BACKGROUND

A social networking service is an online service, platform, or site that focuses on facilitating the building of social networks or social relations among people who, for example, share interests, activities, backgrounds, or real-life connections. Social networking services, platforms and sites include Facebook®, Google+®, LinkedIn®, Twitter®, YouTube®, Xing®, and many others, collectively constituting over a billion users. They have become so pervasive that they are commonly used by organizations to advertise and otherwise communicate with their target audiences.

A social account is a communication portal on a social networking platform. An account can be owned by an individual or it can be owned by an employee of a company for the sole purpose of broadcasting information about the company or its products. Creating accounts on these social networks is relatively simple and allows individual users to create presences on those social networks for the organization's products, brands and initiatives. At the same time, granting additional individuals and other applications administrative access to a social account or multiple social accounts is also simple and very common. These social accounts and the activities on them become very valuable forums for communicating directly with key audiences of the organization from employees and potential employees to influencers, prospective customers, and actual customers of the organization. Ensuring the integrity of the accounts is as important as protecting the integrity of content published on an organization's website.

The social networking platforms themselves provide basic means to ensure that only authorized users can modify the settings and content on specific accounts, typically through simple passwords. However, as with any system that relies on a user to provide a password for authentication, unauthorized access can be gained by an individual by stealing that password through any of a multitude of well-known means: stealing the password by hacking the social network itself, phishing, malware, social engineering, shoulder surfing, etc. Once an unauthorized individual has password access, he can publish unauthorized content that might defame the organization or harass its users, revoke access for other authorized users, or even delete the account.

Further, unauthorized changes can also be made as a result of mistakes and poor coordination by authorized users across multiple social networks and via direct account access and via third party applications authorized on a particular social account or set of social accounts. This occurs where authorization is formalized as part of a written policy that doesn't provide granular access policies to meet the requirements of the organization across multiple accounts. For example, a platform like Facebook® makes it very easy to add additional users as administrators to page accounts in a way that makes it easy to contravene standards that may be set by an organization around administrative access. This adds to the risk and likelihood of accounts being inappropriately changed. For example, FIG. 1 shows how in Facebook a page administrator can simply select from a list of people who ‘Like’ that page and add them as an Admin for that account. This is regardless of their affiliation with the owner of the page. This is a prime example of how and why it is difficult for organizations to maintain the integrity of management over their social accounts.

Thus, there is a need to detect and prevent unauthorized changes to social accounts, notify proper authorities when changes occur, prevent them where possible, and mitigate the affects by removing content or reinstating settings.

SUMMARY OF THE INVENTION

A computer implemented method includes monitoring changes to an account accessible by a group of subscribers that form a social network. The changes to the account are compared to a normative base line to identify deviations from the normative base line. An alert is sent in response to deviations from the normative base line. The normative base line is defined by metadata gathered through an application program interface associated with the account, account entity data and a set of predefined rules.

BRIEF DESCRIPTION OF THE FIGURES

The invention is more fully appreciated in connection with the following detailed description taken in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates a problem associated with prior art social account access controls.

FIG. 2 illustrates the construction of a normative base line for a social account in accordance with an embodiment of the invention.

FIG. 3 illustrates metadata collected in accordance with an embodiment of the invention.

FIG. 4 illustrates a monitoring processing utilized in accordance with an embodiment of the invention.

FIG. 5 illustrates content reversion employed in accordance with an embodiment of the invention.

FIG. 6 illustrates administrator authorization changes employed in accordance with an embodiment of the invention.

FIG. 7 illustrates a computer configured in accordance with an embodiment of the invention.

Like reference numerals refer to corresponding parts throughout the several views of the drawings.

DETAILED DESCRIPTION

The invention provides techniques for authorized users of a social account to protect it from modifications by unauthorized individuals and to protect it from unintentional modifications by authorized users. The invention does this by first building a set of data that represents authorized and unauthorized changes to a social account. The set of data constitutes a normative base line.

FIG. 2 illustrates a process of obtaining metadata 200 from a social account 202. The metadata is maintained in a data store 204. Rules 206 governing authorized and unauthorized social account changes are also maintained in the data store 204.

The social account is then “locked” to that data set specified in the data store 204. In one embodiment, the data set includes at least one of:

(1) a “snapshot” of the metadata of the social account at a particular point in time. FIG. 3 provides an example of metadata that may be collected in accordance with an embodiment of the invention. In this embodiment, metadata is gathered by calling the application program interfaces (APIs) of the social network platform with an authorization (an OAuth token) provided by an administrative user of the social account. This metadata includes, but is not limited to, account settings, profile images, configuration information, list of users with administrative rights, lists of detailed permissions each of those users has, addresses, URLs, display names and identifiers; (2) configuration and rules provided by users, including, but not limited to, times of day and days of week or month that changes may be made, types of content that are allowed or disallowed, types or content or data elements that must or must not exist in published content, locations from which changes may or may not be made, third party applications that may or may not be used to make changes; (3) rules, regular expressions, machine learning algorithms and data, and heuristics either built offline via generic training sets or online via training sets built from the content and metadata of the social account itself, specifically, machine learning training sets that use aspects of the previous pattern of content posted to the social account, including, but not limited to: the words used in each post, the time of day posts are made, the social applications used to publish the content, and the geographic location that the content was posted from (all of which is queried by the invention through the APIs of the social networking platform), and (4) data pulled from data stores owned the company that owns the social account, including Lightweight Directory Access Protocol (LDAP) user directories.

The invention uses the data set described above in a process or set of processes that are monitoring the social account for changes, as shown in FIG. 4. In particular, FIG. 4 illustrates user changes 400 applied to a social account 202. A monitoring process 402 identifies the changes and accesses the data store 204 to evaluate their propriety. In particular, the monitoring process 402 compares change to an account to the normative base line to identify deviations from the normative base line.

In one embodiment, the invention monitors the social account 202 by calling the social networking platform's programmatic APIs to query the social account metadata and content on a periodic basis. When a change is detected, the process uses the data set, or a separate process that abstracts access to the data set, to determine whether or not the change is authorized. If the change is not authorized, the change event is logged and notifications are created within the system and sent via electronic communications (email, text message, instant message, message on a social account, etc) to administrators configured within the system. The administrators have the option to approve the change or not. If the change is not approved, the system will attempt to put back the original authorized setting or remove the unauthorized content. If the change is approved, the invention may update the “locked” data set accordingly to ensure that subsequent changes of the same type are considered authorized. If configured to do so, the invention may revert the affects on an unauthorized change by updating the social account to restore changed settings or remove unauthorized content in addition to notifying administrators, as depicted in FIG. 5.

The invention also periodically checks the list of administrative users of the social account and cross references that list against a set of user identities stored in an LDAP user directory owned and maintained by the company that owns the social account. If an administrator has been added that is not among the authorized set of users in the LDAP directory, the invention will remove that administrator or notify other administrators. If a user has been removed from the directory, the invention will remove that user's administrator credentials from the social account and notify other administrators, as shown in FIG. 6.

The invention may also implicitly update the “locked” data set when an authorized user modifies the social account through a means that is implicitly trusted by the system, such as publishing content via the system itself

FIG. 7 illustrates a computer 700 configured in accordance with an embodiment of the invention. The computer 700 includes a central processing unit 710 that communicates with a set of input/output devices 712 over a bus 714. The input/output devices 712 may include a keyboard, mouse, display and the like. A network Interface circuit 716 is also connected to the bus 714. Thus, the computer 700 can operate in a networked environment, for example, to interface with various users and social networks.

A memory 720 is also connected to the bus 714. The memory 720 stores the previously described data store 204 and monitoring process 402. The invention may be implemented on one or many computers. It is the operations of the invention that are significant, not the particular mechanism for implementing those operations.

There are examples of social account tampering that the invention will act upon. For example, on Oct. 3, 2012, an administrator for KitchenAid's social account on Twitter posted an inappropriate Tweet about Barack Obama. The invention would have detected that the content of this Tweet was dissimilar from the content of previous Tweets, and would have removed the Tweet and notified the other social account administrators.

On Aug. 5, 2012, a pro-Syria group hacked a Reuter's social account on Twitter, changed the screen name and then made pro-Syria posts. The invention would have detected the screen name had changed from the screen name set as part of the social account “snapshot”, then would have notified the social account owners, restored the screen name, and removed subsequent Tweets.

On Feb. 27, 2011, the blogger for Digital Inspiration had his social account on Facebook hacked. The hacker changed the password to lock out the legitimate owner. The invention would have detected that the password had been changed on the account, would have notified the account owner and removed any subsequent posts and comments.

An embodiment of the present invention relates to a computer storage product with a computer readable storage medium having computer code thereon for performing various computer-implemented operations. The media and computer code may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well known and available to those having skill in the computer software arts. Examples of computer-readable media include, but are not limited to: magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROMs, DVDs and holographic devices; magneto-optical media; and hardware devices that are specially configured to store and execute program code, such as application-specific integrated circuits (“ASICs”), programmable logic devices (“PLDs”) and ROM and RAM devices. Examples of computer code include machine code, such as produced by a compiler, and files containing higher-level code that are executed by a computer using an interpreter. For example, an embodiment of the invention may be implemented using JAVA®, C++, or other object-oriented programming language and development tools. Another embodiment of the invention may be implemented in hardwired circuitry in place of, or in combination with, machine-executable software instructions.

The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the invention. However, it will be apparent to one skilled in the art that specific details are not required in order to practice the invention. Thus, the foregoing descriptions of specific embodiments of the invention are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed; obviously, many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, they thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the following claims and their equivalents define the scope of the invention. 

What is claimed is:
 1. A computer implemented method, comprising: monitoring changes to an account accessible by a group of subscribers that form a social network; comparing the changes to the account to a normative base line to identify deviations from the normative base line; and sending an alert in response to deviations from the normative base line; wherein the normative base line is defined by metadata gathered through an application program interface associated with the account, account entity data and a set of predefined rules.
 2. The computer implemented method of claim 1 wherein monitoring changes to the account includes monitoring application program interface calls to the account.
 3. The computer implemented method of claim 1 wherein the metadata includes at least three of the following: account settings, profile images, list of users with administrative rights, permissions associated with the list of users, display names and identifiers.
 4. The computer implemented method of claim 1 wherein the account entity data includes Lightweight Directory Access Protocol (LDAP) user directories.
 5. The computer implemented method of claim 1 wherein the set of predefined rules specify permissible times for changes to the account, types of changes permissible for the account, permissible content for the account and applications with permission to make changes to the account.
 6. The computer implemented method of claim 1 wherein the set of predefined rules include machine learning training sets that evaluate previous patterns of content posted to the account.
 7. The computer implemented method of claim 1 further comprising restoring the account to a prior state in response to deviations from the normative base line. 